
Revil Ransomware Group Disappears After Tor Site Hijack

October 18, 2021

REvil Ransomware Group's Sudden Disappearance

The REvil ransomware group, a prominent cybercriminal organization with ties to Russia and responsible for significant attacks against Kaseya, Travelex, and JBS, has once again ceased operations. This follows reports that its Tor payment portal and data leak blog were compromised.

Recent Activity and Initial Shutdown

This shutdown occurred just weeks after the group resurfaced following a period of inactivity. The initial hiatus stemmed from pressure exerted by the U.S. government in response to the attack on Kaseya, an incident that impacted thousands of businesses with ransomware.

News of the current disruption was initially shared on a known criminal forum by an individual associated with the REvil operation, as discovered by Dmitry Smilyanets of Recorded Future.

Details of the Compromise

According to the post, the group’s Tor services were hijacked: the attackers brought up replacement hidden services using a duplicate of REvil’s private keys, likely obtained from an older backup.

The post detailed the attacker’s actions: “The server was compromised, and they were actively searching for me.” It continued, explaining that the attacker modified the Tor service configuration file ("torrc") to redirect traffic to their own server. The author expressed relief that others were not affected and announced their departure.
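The two changes described in the post, a rewritten torrc and a reused onion-service key, are exactly what an operator of an onion service would want to detect. The following added example (not from the article, and not REvil's or Tor's code) diffs the HiddenService directives of a live torrc against a baseline and derives the expected .onion name from an hs_ed25519_public_key file so it can be compared with the address the service should be answering on; the torrc snippets and the key bytes are constructed.

```python
import base64
import hashlib

# Constructed torrc snippets (not from the article): a known-good baseline and a
# live copy in which the service's backend has been re-pointed at another host.
BASELINE_TORRC = """
HiddenServiceDir /var/lib/tor/payment/
HiddenServicePort 80 127.0.0.1:8080   # local web backend
"""
MODIFIED_TORRC = """
HiddenServiceDir /var/lib/tor/payment/
HiddenServicePort 80 10.0.0.5:80
"""

HS_DIRECTIVES = ("HiddenServiceDir", "HiddenServicePort")
KEYFILE_HEADER = b"== ed25519v1-public: type0 ==\x00\x00\x00"  # 32-byte file header

def hidden_service_directives(torrc_text):
    """Return (directive, value) pairs for the onion-service lines of a torrc."""
    pairs = []
    for line in torrc_text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        parts = line.split(None, 1)
        if parts[0] in HS_DIRECTIVES and len(parts) == 2:
            pairs.append((parts[0], parts[1].strip()))
    return pairs

def torrc_drift(baseline_text, current_text):
    """Onion-service lines in the live torrc that the baseline does not contain."""
    expected = set(hidden_service_directives(baseline_text))
    return [p for p in hidden_service_directives(current_text) if p not in expected]

def pubkey_from_keyfile(data):
    """Extract the 32-byte ed25519 key from hs_ed25519_public_key file contents."""
    if not data.startswith(KEYFILE_HEADER) or len(data) < 64:
        raise ValueError("not a Tor v3 hs_ed25519_public_key file")
    return data[32:64]

def onion_address(pubkey32):
    """Derive the v3 .onion name per the Tor rendezvous spec:
    base32(pubkey || checksum[:2] || version), version = 0x03,
    checksum = SHA3-256(".onion checksum" || pubkey || version)."""
    version = b"\x03"
    checksum = hashlib.sha3_256(b".onion checksum" + pubkey32 + version).digest()[:2]
    return base64.b32encode(pubkey32 + checksum + version).decode().lower() + ".onion"
```

Run `torrc_drift` against a copy of the torrc taken at deployment time and compare `onion_address(pubkey_from_keyfile(open(path, "rb").read()))` with the address your users were given; any drift or mismatch means the service definition or its key material changed outside your change process.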

Possible Perpetrators and FBI Involvement

The identity of those responsible for compromising REvil’s servers remains unclear. A September report in The Washington Post indicated that the FBI had acquired the group’s encryption keys following the Kaseya attack.

However, a planned operation to dismantle the group was reportedly abandoned after REvil initially disappeared. Speculation also points to a potential takeover by a former member known as “Unkn,” or Unknown, a previous spokesperson for the group who did not rejoin when the organization reactivated in September.

Concerns and Speculation

The forum post revealed that the group had initially presumed Unknown to be deceased due to his absence. However, the reappearance of the group’s hidden services using the same keys raised concerns.

“Since there was no confirmation regarding the reason for his absence, we resumed operations, assuming he had passed away,” the threat actor explained. “But today, at 17:10 Moscow time, someone reactivated the hidden services of both the landing page and the blog using keys identical to ours, confirming my suspicions.”

Evidence and Domain Key Access

VX-Underground, a repository for malware-related resources, reported via Twitter that only Unknown and the forum poster possessed REvil’s domain keys. They also noted recent access to the ransomware group’s domain using keys associated with Unknown.

Future of REvil

Whether REvil, which was responsible for the majority of ransomware detections in the second quarter of this year, according to McAfee, is permanently defunct remains uncertain.

Since its unexpected return in September, the group has faced difficulties in attracting new affiliates, leading to an increase in commission rates to incentivize participation.
